
Hack of Twitter Account Exposes Social Media’s Weaknesses

Erroneous AP tweet about White House explosions sent stocks tumbling.

Less than a month after social media received regulators’ blessing to be a source for market-moving news, the hacking of the Associated Press’s Twitter Inc. account is raising concerns over the trustworthiness of information spread via the microblogging site.

Stocks tumbled about 1 percent yesterday after the Associated Press, one of the world’s largest news agencies, said a hacking attack caused it to send out an erroneous Twitter post about explosions at the White House. The Standard & Poor’s 500 Index recovered after losing $136 billion in market value and AP later removed the account.

The attack comes as Twitter Chief Executive Officer Dick Costolo is working to establish the service as a viable business and preparing a possible initial public offering. The U.S. Securities and Exchange Commission earlier this month said companies can use social-media sites such as Twitter and Facebook Inc. to share company announcements that can move markets. The AP incident poses a risk to Twitter’s brand as a vehicle for breaking news, and steps up pressure on the San Francisco-based company to bolster security for users, according to Wade Williamson, a senior security analyst at Palo Alto Networks Inc., a provider of network-protection tools.

“The account that got compromised is the big difference here, as opposed to the traditional impersonating-a-celebrity to say something shocking,” Williamson said. “When you impersonate someone people actually trust and have some sort of implicit belief in, it does very, very different things.”

The attack doesn’t appear to be particularly technically sophisticated and is likely an example of an account hijacking involving the theft of the AP account user’s password, Williamson said.

AP has suspended its Twitter account. The Federal Bureau of Investigation “is investigating the matter with the AP and Twitter,” said Jenny Shearer, an FBI spokeswoman, without elaborating.

The incident follows a week when social media played a prominent role after the Boston Marathon bombing, as Twitter postings and other updates contributed to the rapid spread of information. While some fanned rumors via Twitter, other posts were viewed as more reliable than traditional media. Investors should take steps to verify information even when it comes from seemingly trusted sources, according to Susan Etlinger, an industry analyst at San Mateo, California-based Altimeter Group.

“This is absolutely a danger of social media,” Etlinger said in an interview. “It doesn’t mean we need to throw out social media entirely; it just means we need much better methods for fact-checking and authentication.”

False Information

The false information from the AP account, which also said President Barack Obama had been injured, came after repeated attempts by hackers to gain access to AP reporters’ passwords, the news agency said. The AP said it was working to fix the vulnerability.

The news agency is the latest victim in a series of hacking cases against news outlets, including the Twitter accounts of CBS News’s “60 Minutes.” The television news program said earlier this week that its Twitter account was “compromised,” according to a posting on parent CBS Corp.’s account on April 20. Some of National Public Radio’s Twitter accounts were hacked as well, the company said last week.

The “60 Minutes” account has been suspended pending an investigation, according to Sonia McNair, a spokeswoman for CBS.

Twitter doesn’t offer two-factor authentication -- usually a second passcode delivered via mobile device -- to strengthen the security of accounts. Improved security for Twitter logins would give users more confidence that Twitter posts are coming from legitimate sources and not hacked accounts, he said.

Common tactics that hackers use to gain access to company accounts or user passwords include spear phishing attacks, in which someone is duped into installing malicious code onto their computer or mobile device, and malware hidden on websites, according to Eric Fiterman, a former FBI agent who recently founded the Washington-based cybersecurity company Spotkick.

Bogus Twitter feeds can damage the reputation of a business and possibly expose a company to lawsuits, said Nick Economidis, an underwriter with Beazley Plc, a financial-services company in London that sells data-breach insurance.

“A media publisher conceivably could be sued for negligence if things are published under their name that is not true and if they didn’t take reasonable steps to prevent the erroneous publication of information,” Economidis said in a phone interview.

Jim Prosser, a spokesman for San Francisco-based Twitter, and Fred Wolens, a spokesman for Menlo Park, California-based Facebook, declined to comment.

Maturing Medium

Corporations have been hacked as well. In February, the Twitter account for Jeep was taken over. About that same time, the account for Burger King also was compromised.

The SEC changed its guidance for companies distributing information April 3, following an investigation into Netflix Inc. Chief Executive Officer Reed Hastings. He had posted monthly viewership results on his Facebook page, rather than in an SEC filing or news release. Tesla Motors Inc. Chief Executive Officer Elon Musk also fueled the debate in March, when he sent Twitter postings that moved the electric-car company’s shares.

Shanna Hendriks, a spokeswoman for Tesla, declined to comment. Jonathan Friedland, a spokesman for Netflix, didn’t respond to a request for comment.

The SEC’s decision came amid the expanding reach of social media. Facebook has grown to more than 1 billion monthly users, while Twitter has more than 200 million.

Business Wire, the unit of Warren Buffett’s Berkshire Hathaway Inc. that distributes press releases, said the SEC’s decision earlier this month is hurting investors. The new policy raises “privacy concerns as users are required to register to gain access to material news, security risks that may adversely affect market stability,” Business Wire said in a statement April 4.

Twitter CEO Costolo said last month that “user growth drives everything” at the social-media company. Twitter has been expanding outside the U.S. and offering advertising tools to attract marketers as it prepares for a public offering, possibly in 2014.

“Twitter is one of the most important social media platforms and a crucial part of a company’s business and communications,” Fiterman said. “Criminals, hackers and other types of threat actors will follow what gives them the greatest reach and most successful outcome.”

Treasury & Risk
